From 28854b5669212379c190640063be53b19f12ab88 Mon Sep 17 00:00:00 2001
From: Tim Terriberry <tterribe@xiph.org>
Date: Thu, 14 Oct 2010 01:05:50 +0000
Subject: Port the rest of r16222 from libvorbis.

Commit additional hardening to setup packet decode.


git-svn-id: https://svn.xiph.org/trunk/Tremor@17525 0101bb08-14d6-0310-b084-bc0e0c8e3800
---
 mapping0.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

(limited to 'mapping0.c')

diff --git a/mapping0.c b/mapping0.c
index 5b2107a..aa03e85 100644
--- a/mapping0.c
+++ b/mapping0.c
@@ -126,19 +126,24 @@ static int ilog(unsigned int v){
 
 /* also responsible for range checking */
 static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb){
-  int i;
+  int i,b;
   vorbis_info_mapping0 *info=(vorbis_info_mapping0 *)_ogg_calloc(1,sizeof(*info));
   codec_setup_info     *ci=(codec_setup_info *)vi->codec_setup;
   memset(info,0,sizeof(*info));
 
-  if(oggpack_read(opb,1))
+  b=oggpack_read(opb,1);
+  if(b<0)goto err_out;
+  if(b){
     info->submaps=oggpack_read(opb,4)+1;
-  else
+    if(info->submaps<=0)goto err_out;
+  }else
     info->submaps=1;
 
-  if(oggpack_read(opb,1)){
+  b=oggpack_read(opb,1);
+  if(b<0)goto err_out;
+  if(b){
     info->coupling_steps=oggpack_read(opb,8)+1;
-
+    if(info->coupling_steps<=0)goto err_out;
     for(i=0;i<info->coupling_steps;i++){
       int testM=info->coupling_mag[i]=oggpack_read(opb,ilog(vi->channels));
       int testA=info->coupling_ang[i]=oggpack_read(opb,ilog(vi->channels));
@@ -152,21 +157,22 @@ static vorbis_info_mapping *mapping0_unpack(vorbis_info *vi,oggpack_buffer *opb)
 
   }
 
-  if(oggpack_read(opb,2)>0)goto err_out; /* 2,3:reserved */
+  if(oggpack_read(opb,2)!=0)goto err_out; /* 2,3:reserved */
     
   if(info->submaps>1){
     for(i=0;i<vi->channels;i++){
       info->chmuxlist[i]=oggpack_read(opb,4);
-      if(info->chmuxlist[i]>=info->submaps)goto err_out;
+      if(info->chmuxlist[i]>=info->submaps || info->chmuxlist[i]<0)goto err_out;
     }
   }
   for(i=0;i<info->submaps;i++){
     int temp=oggpack_read(opb,8);
     if(temp>=ci->times)goto err_out;
     info->floorsubmap[i]=oggpack_read(opb,8);
-    if(info->floorsubmap[i]>=ci->floors)goto err_out;
+    if(info->floorsubmap[i]>=ci->floors || info->floorsubmap[i]<0)goto err_out;
     info->residuesubmap[i]=oggpack_read(opb,8);
-    if(info->residuesubmap[i]>=ci->residues)goto err_out;
+    if(info->residuesubmap[i]>=ci->residues || info->residuesubmap[i]<0)
+      goto err_out;
   }
 
   return info;
-- 
cgit v1.2.1